[squid-users] Are there any distros with SSL Bump compiled by default?

Amos Jeffries squid3 at treenet.co.nz
Mon May 16 09:25:23 UTC 2016


On 16/05/2016 7:20 p.m., Matus UHLAR - fantomas wrote:
>>> Tim Bates wrote on 2016-05-14 14:36:
>>>
>>> Are there any Linux distros with pre-compiled versions of Squid with SSL
>>> Bump support compiled in?
>>>
>>> Alternatively, does anyone reputable do a 3rd party repo for
>>> Debian/Ubuntu that includes SSL Bump?
> 
>>> On 16.05.16 10:36, admin wrote:
>>>> I make debs of squid compiled on Debian 8:
>>>> 3.5.8
>>>> 3.5.17

Please update those to 3.5.19. A dozen CVE's went out these past few
months. :-(

>>>> 4.0.10
> 
>> Matus UHLAR - fantomas wrote on 2016-05-16 11:55:
>>> OpenSSL?
> 
> On 16.05.16 12:05, admin wrote:
>> Yes
> 
>> Can send to email if needed
> 
> I just wanted to point out that distributing GPL'ed software (squid)
> depending on (linked with) non-GPL/LGPL libraries is AFAIK a GPL
> violation and therefore illegal copying...


What is being attempted above is not a GPL violation AFAIK, so long as
the Squid ./configure && make system is used to construct the binary and
the Squid source is not altered in any way by the builder.

* GPL permits linking against OpenSSL because the sources of both pieces
of software are publicly available.

* It is a GPL violation to distribute the OpenSSL and Squid sources
together, in source form, as parts of something else.

Thus distributors like Diladele can provide binary-only formats with no
source changes to Squid or OpenSSL. Each component of the offering is
publicly available (GPL compliant) and the pieces of OpenSSL, Squid and
the packaging source code are distributed via separate channels (OpenSSL
compliant).

Debian and Ubuntu distribute sources of all binaries as part of their OS
repository. The very act of adding package install scripts causes the
issue here. The repository would contain all of Squid + OpenSSL +
packaging scripts source code.


But, but, but....

* It is an OpenSSL license violation to distribute any binary that does
not advertise OpenSSL usage. This applies to the binary outputs, even
those not using OpenSSL logic (Ouch!), unless the OS provides the library
as part of its core system.

Debian and Ubuntu use GnuTLS as the system preferred library. The OpenSSL
license not being GPL compliant also makes it not DFSG compliant, and so
not part of the core OS repository. It and anything using it are in the
non-free optional extras repository instead.
There are some suggestions to build and put a version of Squid in there.
But that still collides with the previous GPL issue about sources being
together in the repo.


Adding advertising clauses in the way required by OpenSSL would make
Squid binaries no longer GPL compliant unless we got explicit written
permission from everyone who contributed patches. A lot of contributors
have long-dead emails, requested anonymity, or in fact are now
physically deceased. So we are stuck at our end as well, even with that.

I am working on GnuTLS support as a side project, and the OpenSSL people
are apparently working on fixing their license to be GPL compliant. It
is a lot of work and going quite slow on both fronts. You can see some
of my work reflected in the squid.conf changes of Squid-4, and the
latest Debian/Ubuntu squidclient packages :-)

Amos
